General
-
Target
8b0378d056cfc17fb9b17ce0fd5c134ab6fb620b930f41aa8779f566b03d1c61
-
Size
1.1MB
-
Sample
250109-yn9t3ayrft
-
MD5
72e8eb9c66f2263e9996d23bee242a57
-
SHA1
b80812c819a564178c413f88a8b258524a9e3000
-
SHA256
8b0378d056cfc17fb9b17ce0fd5c134ab6fb620b930f41aa8779f566b03d1c61
-
SHA512
e323879f482dc2d68d0148ce0d5e84110a760596c5ae15078c2ef5b6fb4552419ad13c6a31c85e5f5caf5c014cf485708effbfbc760fb4f5ce30c2ecf271e4b7
-
SSDEEP
24576:iu6J33O0c+JY5UZ+XC0kGsoTGcjr1I1lOq6sb8hTH7NWYb:Eu0c++OCvkGsEGcjr1i6skHUYb
Malware Config
Extracted
pony
http://185.79.156.18/bit/03/gate.php
Targets
-
-
Target
8b0378d056cfc17fb9b17ce0fd5c134ab6fb620b930f41aa8779f566b03d1c61
-
Size
1.1MB
-
MD5
72e8eb9c66f2263e9996d23bee242a57
-
SHA1
b80812c819a564178c413f88a8b258524a9e3000
-
SHA256
8b0378d056cfc17fb9b17ce0fd5c134ab6fb620b930f41aa8779f566b03d1c61
-
SHA512
e323879f482dc2d68d0148ce0d5e84110a760596c5ae15078c2ef5b6fb4552419ad13c6a31c85e5f5caf5c014cf485708effbfbc760fb4f5ce30c2ecf271e4b7
-
SSDEEP
24576:iu6J33O0c+JY5UZ+XC0kGsoTGcjr1I1lOq6sb8hTH7NWYb:Eu0c++OCvkGsEGcjr1i6skHUYb
Score10/10-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-